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I. f 1J> Executive Summary 



■ <TS//S1//N F j T he Business Records FISA Compliance Review Team of the National 
Security Agency (NS A), in response to instructions from the Director of NSA (DIRNSA) 
and as set out in DlRNSA’s Declaration of 13 February 2009 to the Foreign Intelligence 
Surveillance Court (FISC), conducted a comprehensive systems engineering and process 
review of the instrumentation and implementation of the Business Records (BR) FISA 
authorization. This review was focused along the two major components where 
compliance issues had been reported system -level technical engineering and execution 
within the analytic workforce. 



tT3//SI//NF) The review entailed 8 major system or process components of the BR FISA 
metadata workflow, 248 sub-components, and 93 requirements and resulted in 9 new 
areas of concern based on past practices as described herein. NSA has taken steps, 
described herein, to remedy the problems identified, and to ensure to the extent possible 
they will not recur. NSA has also developed plans for both the current and future 
architecture to provide more rigorous and efficient protection, control and monitoring of 
the BR FISA metadata. Implementation of the envisioned changes in architectural design 
and oversight procedures briefly described in this report will help mitigate vulnerabilities 
and correct the problems Identified through the course of the end-to-end review. 



- (C//REL TO US FVEY) T he end-to-end review revealed that there was no single cause 
of the problems that occurred and, in fact, there were a number of successful oversight, 
management and technology processes in place that operated as designed. The problems 
NSA experienced stemmed from a basic lack of shared understanding among the key 
mission, technology, legal and oversight stakeholders of the full scope of the program to 
include its implementation and end-to-end design. The complexity of the overall 
configuration, due in part to the intricacy of the system and the differing rules associated 
with NSA’s various authorizations, was also a contributing factor as was the fact that 
N SA oversight was primarily focused on analyst access to and use of the metadata. 



- (TS//SI/7NP) This report, which assumes a basic knowledge of NSA’s structure and some 
familiarity with the FISC documents and DIRNSA declarations associated with the BR 
FISA program, addresses previously identified and newly uncovered areas of concern, as 
well as the corrective actions already taken, and those on-going or planned, to address 
these issues. It details the scope of the end-to-end review, the methodology employed 
and the results. It also describes the minimization and oversight procedures NSA 
proposes to employ should the FISC decide to approve NSA’s resumption of previously 
authorized access to the BR FISA metadata, to include automated alerting and querying 
of the metadata, as well as the authority to establish whether a telephony selector meets 
the Reasonable Articulable Suspicion (“RAS”) standard for analysis (i.e., regular 
authorized access). Additionally, the report outlines the checks, balances and safeguards 
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engineered into the system; points to the need to clarify existing language in some cases; 
and describes enhanced training for the workforce that is designed to prevent future 
instances of non-compliance. Finally, the report includes a summary of a proposed 
technical architecture which will further protect BR FISA metadata. 



(TS//SLVNF) In conducting the end-to-end review. NS A established a diverse team of 
technical, legal and mission experts to examine jointly the key functional areas of system 
engineering, mission operations and oversight The NSA team created an architectural 
diagram of the end-to-end data and workflow' and examined each major system 
component and sub-component to ensure a complete understanding of how the data was 
handled. In addition, NSA compiled all BR F ISA-related requirements and evaluated 
each system and process component against those requirements to identify areas of 
concern or vulnerability. 

ttJ//rOUO) In moving forward, NSA will not only address the specific technical and 
process issues identified in this report, but will also implement changes in its program 
management construct to increase transparency and awareness among accountable parties 
and establish an enduring view' of the full scope of the program. 



4U//FOU0) NSA may produce additional supplements to this report to the extent 
necessary to respond to additional items that may be of interest to the court, 



II. ftWrOUQj Results of Detailed Analysis on Identified Areas of Concern 
A.|C77FOB6) Previously Reported Compliance Issues 

1 . TtTtfPeVQ) Telephony Activity Detection (Alerting) Process 
(IJ) Description 



(T3//S1//NF) As previously described to the Court/ NSA implemented an activity 
detection (alerting) process^ in a manner that was not authorized by the Court’s Order, 
and then inaccurately described that process in its initial and each subsequent report to 
the Court, NSA stated that only R AS -approved selectors were included on the Activity 
Detection List when, in fact, the list included those RAS-approved and non-RAS- 
approved selectors'’ which w ; ere also tasked for content collection by counterterrorism 



analysts tracking 



and associated terrorist organizations or, subsequent to 



1 tB//rOUO) See DIRNS A Declaration dated 13 February 2009, at Sections IH.A. and 1II.B. 

3 (U//FOUO) NSA now refers to the Alert Process and the Alert List as the Activity Detection Process and 
the Activity Detection List to more accurately describe their functions. 

NT2A I 'CI. ; ? HA In mid- January 2009, there were 1,935 RAS-approved and 15,900 n on- R A.S -approved 
selectors on the Activity Detection List. At that time, the Station Table (the reference database of ail RAS 
evaluations) had approximately 27,000 selectors identified as RAS-approved and 63,000 selectors 
identified as non-RAS -approved. 
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(IJ) Description 

4TC//S I//M F)" Between 24 May 2006 and 2 February 2009, NS A designated 
approximately 3,000 U.S. selectors as RAS-approved on the Station Table without 
undergoing the required OGC approval. This set. of numbers was derived from two time 
periods: 1 January 2005 to 23 May 2006 and 24 May 2006 to mid- December 2008. 

rtglV/Cl/C U-} Approximately 600 U.S. selectors that had been tipped to FBI and CIA 
between 1 January 2005 and 23 May 2006 as having ties to known, or probable, terrorist 
entities were added to the Station Table alter the BR FISA Order was issued in an effort 
to “jumps! art” the BR FISA operations. These 600 U.S. selectors did not undergo OGC 
review. 



"tTG/V'DI/.'T'iFl Between 24 May 2006 and 6 May 2009, NSA issued 277 BR FlSA-based 
reports, all of which were based on contact chaining of RAS-approved selectors. Included 
in these reports were tips to customers (FBI, CIA, NCTC, and/or ODN.1) of U.S. 
telephone numbers which had been in contact with a RAS-approved se lector associated 
with 

three hops of a RAS-approved selector. For those reports issued between 24 May 2006 
and mid-December 2008, NSA took the additional step of designating as RAS-approved 
in the Station Table the subset of these domestic selectors that were tipped as having ties 
to known., or probable, terrorist entities. However, these selectors did not undergo the 
required OGC review. For this entire period (24 May 2006 to 15 December 2008), the 
total number of U.S. selectors added to the station table as RAS-approved, but without 
the OGC review, was approximately 2,400. 10 



(TS//SI.//NF) At the time the RAS-approved portion of the Station Table was mistakenly 
implemented as the Activity Detection List in mid-January 2009, as described in Section 



9 

tTSASI//NF) The number of reports included in the DIRNSA Declaration of 13 February 2009 was 275, 
This was based upon information gathered on 6 February, Further review lias taken into account the fact 
that an additional report was issued after o Febmary, b ut before 13 February', Some of these reports had 
been cancelled for various reasons and some of the cancelled reports were reissued with corrections. 
Therefore, the correct number of unique reports as of the 13 February 2009 declaration should have been 
274, Since then, additional reports have been issued for a current total of 277 (as of 6 May 2009), The 
Declaration also stated that there were 2,549 selectors tipped in these reports. The actual number of 
selectors tipped in the 274 reports is 2,883. 

5 ir (T S/7 S I AN F } .A p pro x ima t e I y 1000 of these selectors from the post-23 May 2006 era were reported to 
customers as having only <m indirect connection to known or probable terrorist selectors. It was not NSA 
policy to include this category of numbers in the Station Table as ^RAS-approved" However, an error was 
made during a bulk upload to the Station Table of tipped numbers on 9 December 2008 and these numbers 
were inadvertently included They were present on the Station Table as RAS-approved until the entire set 
of 2,400 ITS, selectors were changed to "no t RAS-approved' on 3 5 December 2008 (six days later). An 
audit of the Alert system, the and the Transaction Database showed that no chaining in 

the BR FISA metadata was performed on these numbers during tins period. 
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II. A, 1 approximately 600 s s of the U.S. selectors from the Table had not undergone the 
required OGC review. Forty-six of these approximately 600 selectors generated alerts as 
a result of the actions described in Section II, A. 1 ; however, none of die resulting analysis 
based on these alerts yielded information that was subsequently tipped to customers. 



-(TG/ZC L7 N F }- Desi gnatin g these U.S. identifiers as R AS-approved without the required 
OGC review grew out of a related practice that NS A applied briefly to its development of 
the Telephony Activity Detection List in 2006. Specifically, in its first periodic report to 
the Court as directed in the initial May 2006 Order, NSA stated that U.S. identifiers that 
had been reported to FBI and CIA prior to 24 May 2006 because of their direct contact 
with international terrorism selectors had also been added to the alert list, even though 
they had not been qualified as seed identifiers and had not been reviewed by OGC, While 
Che initial report' explained to the Court the NSA rationale for the belief that these 
identifiers did not need to go through the full approval process to be included on. the alert 
list, the November 2006 90-day report also stated that the practice had ceased as of 1 8 
August 2006. Although the use of this process to add identifiers to the Alert List did 
cease on. that date, NSA failed to discontinue the process of adding selectors to the 
Station Table. 



(11) Remedial Steps 

(TS//8I//NF) In early February 2009, all selectors that the OGC had not reviewed were 
changed to A S -approved on the Station Table. 



B. (li) Newly Identified Areas of Concern 



2009 



[I Not Audited Prior to January 



(l!) Description 



-(TS//DI//NF)- J anu ary 2009 discussions between O versight and Compliance (O&C) and 
the BR FISA-authorized analysts revealed that the 

NSA’s repository for individual BR FISA metadata one-hop chains, had not been audited, 
prompting further investigation as part of the end-to-end review. Prior to that time, N SA 
O&C was not aware of its existence in the technical architecture and therefore did not 
audit the database. 



(U) Remedial Steps 



7SI//NF ) Between May 2006 and January 

logging capability recorded all queries via the analyst graphical user interface 



1 1 {TS//SI//NF} These were the approximately 600 from the pre-FIS A era; the others had been changed to 
“not R AS-approved’’ in mid-December 2008, The failure to remove these approximately 60(1 numbers was 
an oversight. The 600 selectors were changed to “non-RAS -approved" on the Station Tabic in early 
Februarv2009. 
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ita within the to include the user’s login. Internet Protocol (IP) address, 
oaie and time, and retrieval request -■ all fields required by the Order, Analysts use the 
to verify the specific call event details between two individuals — 
uch as which selector initiated each call, when the call was initiated and how long 
lasted. However, sometimes to verify the call details of a communi cation event 
yst uses the selector that was the first or second hop result as the retrieval request. 

; of this, the selector that was the RAS-approved seed is not always evident in the 

n January 2009, NSA took steps to augment the 

system log to include the 

proved seed that the user was asserting to be within two hops of the selector 
ueing queried. O&C began auditing queries to the database in February 2009. Since this 
enhanced auditing capability was added, O&C has audited the BR FISA-authorized 

" * ’ ’ ■ 5 and no evidence of improper queries. Although the 

suffered a system crash in September 2008, NSA 
mately able to recover sufficient data to permit O&C to conduct sample audits of 
since the Order’s inception. These sample audits revealed no unauthorized 
conducted queries against the EiR FISA metadata and no authorized analysts 
sd imorooer Queries of the metadata. 
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art Order and any future requirements. Reconstituting this 
rchitecture will ensure that it is established and supported 
uthentication/authorization services, use system security 
practices, are certified and accredited with approval to 
curily Plan (SSP), 12 and above all employ software 



i testify Analysts’ Use of BR FISA Metadata 
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see Appendix 1 , Glossary of Terms, for expansion and definition of 












mu& i curraiuy aumunzeu lu query ui 
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ntinued under the structure imposed l 
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. HbA metadata are responsible tor 
information and writing reports; this practit 
: March Court Orders. NS A believed such 
'as distinct from the bulk metadata itself) w 
ot included a description of it to the Court s 



iii addition, tne court orders prior to i March zuuy state mat any 
processing by technical personnel of the BR metadata acquired pursuant to this Order 
shall be conducted through the NSA’s private network, which shall be accessible only i 
select machines and only to cleared technical personnel, using secured encrypted 
communications." The end-to-end review' revealed that the way in which NSA protects 
the data is not precisely as stated in the Court Order; however we believe NSA’s 
implementation is consistent with the intent of preventing unauthorized users from 
accessing the data. For example, there are not specifically designated or "select" 
machines from which technical personnel access and process the data on NSA’s private 
secure network. The internal NSA communications paths on its classified networks are 
lot encrypted, but are subject to strong physical and security access controls 1 '' which 



[TS/ZSIZ/NF) The end-to-end review also revealed that data integrity analysts, in order to 
conduct their authorized duties, pull samples of raw' BR metadata into their private 
iirectories on the NSA network, which they access via username and password, to 
ioalvze the metadata in order to develop new parsing rules or prepare samples for spot 
:hecks. The private directories offered them a workspace to analyze the metadata using 
ools and applications that they could not invoke in the 

While the se private directories could be interpreted to be an additiona l data 

already 

lescribed to the Court, the BR FISA data is not accumulated as in. a true database 
■epositorv. The data integrity analysts are authorized to access the data, and any 
mportation to their own systems was deleted when no longer needed. 

Additionally, the review uncovered that data integrity analysts, in 
inducting their authorized duties, copied data into two shared directories created for 



1 he NSA complex is a Sensitive Compartmented Information Facility (SCIF) that is an 

.ccredited installation, incorporating strong physical and security access control measures (barriers, locks, 
iarm systems, armed guards), to which only authorized personnel are granted access. Within NSA. only 
pproved users of NSANET can. gain access to the network through login and password. Once on the 
idvvork, the user can only access the BR FISA metadata if additional access controls specifically allow 
uch access. Access to particular data sets is granted based on need-to-know and is verified via Public Key 
nfm structure tPKXi. 







restricted information with a controlled user set. These shared directories also offered 
access to similar tools and applications as mentioned above. NS A learned that roughly 
170 personnel who at one time had been cleared for sensitive metadata programs had 
access to tiles on this server. Approximately 15% of these personnel were system 
administrators or data integrity analysts; the remainder included intelligence analysts, 
managers and engineers. While it was possible for the files to be accessed by any of these 
personnel, it is unlikely that anyone other than data integrity analysts would have done so 
since it would have been outside the scope of their duties. 

(UT Remedial Steps 

notice was filed with the FISC on the matter of sharing results of queries 
within NSA as it relates to the BR FISA Order on 12 June 2009, While NSA believes the 
ability of BR F ISA-authorized analysts to share u nminim ized query results with the 

broader population of NSA analysis working 

is critical to the success of its counterterrorism efforts, effective 1 8 June 2009 NSA beean 
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(U) Description 

(T-S/ /S i V7N F r ) It was recently discovered that during the June through October 2006 
timeframe, in the process of implementing the initial BR FISA Orders, a few domestic 
numbers were designated as RAS approved and chained without OGC approval due to 
compound analyst errors. These errors occurred when analysts inadvertently selected the 
incorrect option in a GUI. The correct option would have designated the domestic 
identifier as needing OGC approval. The incorrect option put the domestic selector into a 
large list of foreign selectors which did not need OGC approval as pail of the RAS 
approval process, hi those cases where the Homeland Mission Coordinator (HMC) failed 
to notice the domestic number in the large list of foreign selectors and the RAS 
justification was approved, the number was chained. NSA continues to investigate this 
matter, but, based on available records, NSA’s initial estimate is this occurred fewer than 
ten times. NSA will provide additional information as appropriate. A notice was filed 
with the FISC on this issue on 29 June 2009. 



(U) Remedial Steps 

(TS//S 1.//NF) Each time an error was identified through quality control, senior HMCs 
provided additional guidance and training, as appropriate. Continued training and 
management oversight, in particular when new analysts arrived, helped ensure such 
errors were not repeated. 

8. (TS//SI//NF) External Access to Unminimized BR FISA Metadata Query 
Results 



(U) Description 



(TS//SI//NP ^ In examining NSA’s practice of sharing BR FISA meta data query results 
internally with other NSA analysts working author! zed 

■NSA 1 learned of CIA, FBI, and NCTC analyst access to 
unminimized BR FfSA metadata-derived query results and target knowledge information 
via an NSA counterterrorism database. This matter, just recently identified, was a 
collaboration practice that was in place prior to the inception of the BR FISA Court 
Order. Over time, approximately 200 analysts at CIA, FBI, and NCTC had been granted 
access to this target knowledgebase. When the BR program was brought under the 
jurisdiction of the FISA Court, this practice was not modified to conform with the 
Order’s requirements for the dissemination of BR FISA metadata-derived query results 
outside of NSA. A notice was filed with the FISC on this matter on 16 June 2009. 



(U) Remedial Steps 



- (TS//SI//NF) While NSA disabled the hyperlink button used by the external analysts to 
access this target knowledge database in the Summer 2008 timeframe, NSA learned, that 
the external analysts could have still accessed the data if they retained the URL address. 
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Upon identifying this as an area of concern on 1 ! June 2009, NS A began terminating 
external customer account access to the target knowledge database, completing the actior 
ay 12 June 2009. NSA is continuing to investigate this matter; audits are now underway 
:o determine the extent to which the query results may have been accessed. Once 
completed, NSA will provide a full explanation of this practice. 

9. of BR FISA Information 



vcTtY«4^_.wheii an NSA analyst determines that information identifying a U.S. persoi 
s critical to inclu.de in a metadata report, he or she is required to obtain dissemination 
luthorization from the designated NSA approving office in accordance with the Court’s 
Jrder. Specifically, the order requires that prior to disseminating any U.S, person 
n formation outside of the NSA, the Chief of Information Sharing Services must 
tetermine that the information is related to counterterrorism information and is necessary 
o understand the information or to assess its importance. In fact, the Chief of 
n formation Sharing Services, when unavailable, has in the past delegated this authority, 
ypically to the Deputy Chief. Additionally, after hours or in an emergency situation, this 
luthority has also been delegated to NSA’s Senior Operations Officer (SOO) in its 
slational Security Operations Center (NSOC). 
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fyTG//SI//NI2) NSA is currently conducting a review of any BR FISA metadata-derived 
reports that contained U.S. person identifying information to determine consistency with 
the Court’s Order, Once this is completed, the results will be provided. 




111. NSA’s End-to-end BR FISA Review 

A. (U) Scope 

~ frS//GI//NF) NSA established a team of experts to conduct a thorough end-to-end 
systems engineering and process review of the BR FISA metadata workflow. The team 
reviewed 93 requirements extracted from the March 2009 BR FISA Court Order, 
Application and Declaration; dataflow diagrams; and system documentation (to include 
systems engineering and security plans) to ensure a complete understanding of how the 
requirements were being met prior to 2 March 2009, how well they are currently being 
met, and what changes may be needed to ensure compliance. The team then used these 
requirements as a basis to examine six key aspects (systems architecture, analyst 
workflow, management control, compliance auditing, oversight, and training) of NSA’s 
handling of BR FISA metadata, and to establish a comprehensive plan to ensure that all 
requirements are addressed and properly implemented, 

(TS//S I//N F ) - Another critical step in preparing to conduct the end-to-end review was to 
identify and map how all the system components fit together. Lack of such end-to-end 
awareness contributed to the problems initially reported to the FISC. 1 *’ The 
systems/processes reviewed were; 



1 . 

9 

3. 

4. 

repository for individual BR FISA metadata one-hop chains 

5. the Telephony Activity Detection (Alerting) Process 

6. the Reasonable Articulable Suspicion (RAS) Approval Process 

7. the BR FISA Analytic Tools and Processes 

8. the BR FISA Analyst Decision and Reporting Process. 



, NSA’s corporate file transfer/distribution system 
[CNSA’s corporate contact chaining system 



. NSA’s 



'’- ftJ.’.TOUO) See Declaration of the Director of the National Security Agency (DIRNSA) dated 13 
February 2009. 
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wing processes: fixe Activity Detection (Alerting) Process , the RAS Approval 
BR FISA Analytic Tools/Processes , and the BR FISA Analyst 



Decision/Reporting Process to identify, query, analyze and ultimately disseminate 
information derived from the metadata. These eight components, past of a large and 
complex system, are further described in Section III.C. and pictured in Figures I- 10. 



Figure 1 provides a top-level v 
the eight components, while F 
greater detail. Each componen 



sw of the overall architectural system, Figure 2 highlights 
ures 3-10 highlight each of the individual components in 
s reflected with corresponding colors in the diagrams. 



■fTS//SI//?.ip In concert with this systems engineering end-to-end review, NSA conductor 
a thorough review' of its analytic processes, management controls, auditing mechanisms, 
oversight and training for the BR FISA metadata handling. This included a thorough 
examination of each activity, tool and analytic process to assure that it operated in 
compliance with the Court Order. The review led to several additional audits to ensure 
that no compliance incidents had occurred and to examine whether or not the individuals 
who worked with the BR FISA metadata fully understood the applicable authority and 
limitations. Documentation and training were also updated. Each part of the review 
compared the component or process being reviewed with the relevant requirement from 
the list extracted from the Court documents. 



-fTSf'/fjfl'V'NID NSA's systems engineering and workflow review's surveyed the processes 
and tools as they existed before any remedies were implemented. This retrospective 
evaluation enabled NSA to develop the near-term corrective measures necessary for 
current Court-approved operations and potential resumption of regular access to the BR 
FISA metadata should it be authorized by the Court. It also informed plans for 
incorporating the BR FISA flow into the NSA future architecture more effectively. 

B. (U) Methodology: 

NSA employed a repeatable and well-documented process in conducting its 
end-to-end review'. NSA derived technical requirements from the legal requirements 
governing BR FISA metadata handling. As noted, NSA simultaneously began to develop 
an end-to-end systems engineering diagram of the systems and databases that support BR 
processing arid storage. NSA also developed and conducted Initial Privacy Assessments 
(IPAs) which include a standard set of questions used to determine, among other things, 
whether the system or process under review' interacts with data that could contain 
information about U.S. persons. The outcome of the IPA determines whether a more in- 
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NSA’s corporate file forwarding service, provides for 
distribution of the BR FISA metadata from the collection source to the analytic 
repositories. It accepts files from sources and transports those files to the end destinations 
identified in the filename given to the file by the source system. 



i J (GV'RTL TO USA, FVEY) The IP A/P! A framework provided a way for the Agency to assess compliance 
risk. This framework was not. used to supersede any Court -derived requirements. Both the IP A and Pi A 
templates were based on Department of Defense (DoD), DoJ or Homeland Security Privacy Assessment 
frameworks and then adjusted for the SIGINT environment. While IPAs and PI As are not required for the 
Intelligence Community', they provided a sound methodology Sir the systems engineering end-to-end 
review. 
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configuration-eontrolIeSnSumte^ihe other seven BR FISA analytic tools examined 
were developed in whole or in part by engineers working in the Counterterrorism 
Organization to meet constantly changing mission requirements, resulting in limited 
configuration and change management control. All seven of these tools were either 
monitored through existing O&C audits or were subjected to new audits and/or review s 
as part of the end-to-end review. With the exception of 0 
■Band GUI, none of these tools are currently able to access the BR. FISA 
metadata. 

(TS//S1//NF) To mitigate risk in the future, NSA will transition the BR FISA analytic 
tools and processes to the corporate NSA enterprise architecture and will no longer 
develop tools within the Office of Counterterrorism. Complete end-to-end testing will be 
conducted for all tools against a standard set of BR FISA, requirements to ensure they are 
fully compliant prior to resumption of automated operations if authorized by the Court. 

8. (U/?F€Rl£>) Analyst Decision and Reporting Process 

f FS//SI//NF) The Analyst Decision and Reporting Process encompasses the target 
knowledge, guidelines and procedures that enable intelligence analysts to determine what, 
information meets customer requirements. It also involves the evaluation and 
minimization procedures intelligence analysts employ when analyzing data and drafting 
and disseminating reports. 

(TS//SI//NF ) Prior to the alert list shutdown on 24 January 2009, the BR FISA analyst 
decision and reporting work flow began when an HSAC analyst was notified of a match 
between a known selector of counterterrori sm interest and an identifier in the ingested 
BR FISA metadata, when an analyst received an RFI from a customer, or when an 
analyst was continuing analysis on an existing target set. Aside from the activity 
detection list, the process remains the same today on selectors that are specifically 
approved in accordance with the Court’s Orders, If NSA has reason to believe the 
information constitutes valid threat-related activity, NSA applies US SID 18 to minimize 
information concerning U.S. persons and then reports the information to the FBI, CIA, 
NCTC and ODNI, and other customers, as appropriate. 

(TS.VSJANF) NSA reviewed its analytic workflow to ensure the BR FISA metadata was 
appropriately handled, analyzed and disseminated. Three new areas of concern, discussed 
in Section ILB, were identified with the BR FISA Analysis Decision and Reporting 
Process in addition to that which was previously described to the CourT" and discussed in 
Section II. A. 



! TD77P©HO)tSee Supplemental DIRNSA Declaration dated 25 February 2009, at 8, Section 2 
ilii &dd rood ate anal vs I ciuerv in 2 ). 
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As a by-product of the end-to-end review, NSA has updated the interim 
analytic BR FISA Standard Operating Procedures (SOP) to ensure compliance with the 
current Court Orders and is coordinating this document with DoJ as required by the 
Court. This SOP outlines step-by-step instructions for the authorized intelligence analysts 
in handling the BR FISA metadata; describes the procedures used to control access to the 
BR FISA metadata; provides the steps used to conduct weekly audits of the analysts’ 
queries and tools; and details the methodology used to query the BR FISA metadata 
under newly established Imminent Threat Concept of Operations guidelines. NSA will 
continue to maintain the SOP and CONOP as “living documents” and update them as 
needed. 



‘Tf^b £ SI*/N£)LNSA also continues to maintain and regularly update an 1 1-step 
comprehensive checklist that outlines both the Homeland Mission Coordinator and 
analyst responsibilities in the BR FISA metadata analysis and reporting process, The 
checklist is comprised of over 30 components that require analysts to answer a variety of 
questions, including whether the proposed report falls within the scope of BR FISA 
authorities and express OGC guidelines; whether NSA attempted to get additional 
information about the selector from the FBI and CIA integrees at NSA; and whether 
cellular identifiers were checked to detenu ine if the user had roamed into another 
country. The checklist also reminds analysts to detail the infomiation/intelligence 
source(s) that prompted the report’s production. 



(TS//SI//NF) in addition, NSA has in place a combination of web pages and on-line aids 
dedicated to end-product reporting and dissemination guidance. These detailed working 
aids, together with required USSID 18 training for ah BR FISA-approved intelligence 
analysts, require that any NSA BR FISA-based reporting that contains U.S. person 
information follow NSA’s standard minimization procedures found in USSID 1 8 and the 
Court Order, 

IV. (jjy7retI0\NSA s s Minimization and Oversight Procedures 



- (TS//SI//NF) NSA has well-documented and long-standing minimization procedures for 
ensuring protection of U.S. persons’ information in SIGINT analysis and reporting under 
all SIGINT authorities, to include the FISA Order. NSA’s normal regime of compliance 



oversight for handling the BR FISA is a comprehensive, multi-pronged approach 
involving DoJ and NSA’s OGC, O&C, Office of the Inspector Genera! and SID. 
Currently, NSA is required to consult with DoJ on all significant legal opinions involving 
BR FISA metadata handling. DoJ meets with the appropriate NSA representatives at least 
once every renewal period to review' the program. Prior to the 2 March Court Order that 
the FISC make all RAS determinations, DoJ also conducted “spot checks” to review a 
sampling of justifications (RAS determinations) for querying the metadata. NSA, in turn, 
provides internal oversight to the BR FISA program by a variety of oversight controls 
and compliance mechanisms to prevent, detect, correct and report incidents and 
violations of the procedures, to include technical physical and managerial safeguards 
such as: examining samples of call-detail records to ensure NSA. is receiving only 
compliant data; ensuring analysts are trained in the querying, dissemination and storage 
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.The OJT component has always been administered by an experienced HMC 
or senior analyst experienced in conducting OJT, This training specifically addresses how 
analysts are permitted to use the BR FISA metadata, reinforces the unique privacy 
concerns and handling requirements of this data, and demonstrates the various tools that 
can be used to query the BR FISA, metadata. In addition, each HMC and authorized 
intelligence analyst is required to sign a user agreement, documenting that he or she has 
read and understands the obligations associated with handling the BR metadata. 



~TFSb ¥S I//N E jt N S A has also begun to provide tailored briefings to all technical personnel 
that have been granted access to the BR FISA metadata. The tailored briefings outline 
the categories of data obtained under the BR FISA Court Order and the restrictions 
associated with the technical personnel’s duties. For example, the briefings make it clear 
that the Collection Managers and System Administrators are not authorized to query the 
BR FISA metadata for foreign intelligence purposes. The briefing also outlines the 
correct offices to contact if the technical personnel see possible compliance issues in the 
course of their duties. 



tTS//3I//NF) As part of the BR FISA training redesign, complete training records will be 
maintained by ADBT for each individual. The documentation will include the test score, 
answers to Individual test questions, and performance feedback from the OJT component. 
This documentation will allow for tracking of access to the BR data on an individual 
basis. 



V. (tl77FOXlQ) NSA’s Future Architecture 

(TS//SI//NF) Using principles of system engineering, configuration, management and 
access control, NSA has considered the future implementation of the BR FISA program 
including the automated activity detection process to be used should the Court authorize 
NSA to resume regular access to the BR FISA metadata. 

A. ( WFOUO ) Future BR FISA Activity Detection (Alerting) Process 

(TS//S1//NF) NSA. could resume automated activity detection in a fully compliant manner 
should the Court approve. NSA would maintain an Activity Detection (alert) List 
containing only RAS-approved selectors. Only the RAS-approved selectors on this “BR 
Identifier List” would be compared to the BR FISA metadata. With Court approval to 
resume automated querying, NSA will work with NSD/DoJ to ensure the BR Identifier 
List will he populated with only those selectors that the Court has authorized. Should the 
Court grant NSA RAS decision authority, NSA would begin to augment the BR Identifier 
List with additional identifiers that NSA approves as having satisfied the RAS standard, 
using the improved processes and training identified in this document, 

B. (U) Future of Overarching Architecture 
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TTS.VS L r 1 T 1 the future, should the Court authorize NSA to resume regular access to 

the BR FISA metadata, NSA will migrate the data How and life cycle management of the 
BR FISA metadata to its next generation system architecture which offers more effective 
and efficient management and control. This architecture is designed to he flexible enough 
to adapt to changes in the legal and oversight requirements, while conforming to 
applicable governing authorizations such as EO 12333 and BR FISA, 

(Tl?7P©41Q}_hi the future architecture, the end-to-end BR FISA dataflow will he referred 
to as a system “thread.” As such, NSA would manage the entire capability via a “Thread 
Engineering Team” to guide the requirements development, systems integration, use-case 
development, testing/validation and planning for current and. future enhancements. 

Thread engineers would meet with representatives from the OGC and O&C to define and 
validate requirements prior to development. System-wide configuration management 
would he implemented to log the expected software builds and patches. Such practices 
exist now', hut there is no thread focused on the Business Records process. 

ITS . 73 L '/M F)-The proposed systems supporting BR FISA dataflow and life cycle within 
the next generation architecture encompass both technical- and personnel -based strategies 
to ensure that data is accessed, retained and purged in full compliance with authorities 
granted to NSA by the FISC. Moreover, the implementation of centralized processes and 
databases will ensure that all aspects of the dataflow will continue to be tracked and 
audited to further ensure that any non-compliance issues can be promptly identified and 
addressed. Plans for addressing key requirements for BR FISA metadata are as follows: 



1 . / Access Control 



new access control application will be applied to all databases and 
systems supporting the BR FISA workflow. This application will validate the credentials 
of users to govern what systems they are approved to access, and validate that their 
required training is current. PKI, which offers security measures for identification and 
authentication, as well as for access control, and audit capability will be used to manage 
users with access to the raw' data or query results. 



2. Standardization 

(T&].'VSI//NF)-A data standardization platform will date-stamp the incoming BR metadata 
and ensure its consistent and accurate structure. This will allow' quick, and accurate dale- 
based purging once the Court-ordered time frame has been reached, 

3 . (TJ7/FetlQ£ Databasing RAS Selectors 



(TS//SI//NP ) - An updated and improved centralized target, knowledge database for storing 
telephony and email selectors has been under development since October 2008. This 
database will enable more efficient storage and retrieval of key information about each 
BR FISA telephony identifier such as its RAS status and the justification, and OGC 
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approval as appropriate, for those that have been RAS-approved. These features are 
scheduled for completion during the fourth quarter of FY09. 

4. Analytical Processing and Call Chaining 

lTS7¥S4/fNJE) An enhanced call chaining function and data processing capability will 
support large volumes of automated algorithms, handle growing ingest rates and deliver 
faster query responses. Additionally, the metadata wall be stored using security tags, a 
measure which can be used to restrict the visibility of individual entries in the database to 
personnel with the appropriate access credentials. 

5. '(t?7/f£C^JOTA uditing and Monitoring 

( tfr/FQUQ- ) Enhanced auditing will provide a means to track a data user’s activity 
patterns, the state of a user’s operations, and the frequency and composition of queries. 

A formal metrics and monitoring system will also be used to monitor the status of the 
end-to-end processing and will alert management and operations personnel when 
processing anomalies are detected. 

VI. (II) Conclusion 

-fTSASF.^lFj. As discussed above, NS A has thoroughly reviewed the technological 
systems, analytic workflows and processes associated with its implementation of the BR. 
FISA Court Order, and has introduced corrective measures to address specific concerns 
and vulnerabilities. These new measures will ensure a balanced focus on technological 
solutions and management controls. The end-to-end review' also revealed areas for 
improvement which have been documented and will continue to he addressed. Where 
changes were made impacting current manual operations, a combination of system 
evaluations, demonstrations and audits provided confidence that the technical fixes are 
actually configured and operating as intended. 

4 TS//SI//NF) The remedial actions described in this report are subject to ongoing 
improvement and will support strict adherence to the Court Order. Although no 
corrective measure is infallible, NSA has taken significant steps designed to eliminate the 
possibility of any future compliance issues and to ensure that the mechanisms are in place 
to detect and respond quickly if one were to occur. 
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Figure 10: Component of BR FISA Process addressed In End- to- End Review 
“BR FISA Analyst Decision and Reporting Process” 
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Emphatic Access Restriction (EAR 



See Automated Chaining and Analysis Too! 
and GUI 

A list of foreign and domestic telephone 
selectors believed to be associated with 
terrorist targets. The Activity Detection 
List is independent of the Station Table. 
Formerly called the Alert List, this list is 
now more commonly referred to as the 
Activity Detection List in order to be more 
descriptive. 

See Activity Detection List 
A database used to store correlations 











initi 


a! Privacy Assessment (JPA) 
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See Initial Privacy Assessment 



1 NSA’s corporate file transfer/d 
j system 


istribution 


| NSA’s corporate contact chain 


mg system, j 



Metadata 


“Data about the data”; for example, 
information about a telephone call, to 
include the calling and called numbers, 
time of call, etc. Metadata does not include 
content. 




The repository for individual BR FISA. 




metadata call records for access by 
authorized Homeland Security Analysis 
Center (HSAC) and data integrity analysts 
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A selection management system used to 
manage and task selectors, such as 
telephone numbers, IMETs, and IMS Is, to 
many different information collection 
systems worldwide. 


Parsing Rules 


A method for separating data into 
standardized data fields. 


PI A 


See Privacy impact Assessment 


PKI 


See Public Key Infrastructure 


Public Key Infrastructure (PKI) 


An information assurance service that 
supports digital signatures and other 
public-key based security mechanisms, and 
offers security measures such as 
identification and authentication, access 
control and audit capability. 


Privacy Impact Assessment (PI A) 


An in-depth, standardized review of 
privacy concerns for a particular system or 
process 


Requirements 


The terms contained in the governing BR 
FISA metadata documents that must be 
satisfied as part the end-to-end workflow, 


Sanitize 

\ 


The process of disguising intelligence to 
protect sensitive collection sources, 
methods, capabilities or analytic 
procedures in order to disseminate to 
customers at a classification level they can 
use. 


Seed ] 


An initial selector used to generate a chain 
query. 


Selector 


An identifier, in BR FISA realm could be 
an IMEI, 1MSI, or MSISDN, as well as a 
telephone number. 




This tool is used by HMC's to conduct 




contact chaining against BR FISA metadata 
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